Monday, June 12, 2017

Will your DNA profile lead to the ultimate loss of your Privacy and Freedom?

from the yet-another-third-party-records-repository dept

[Update: after this post was published, Eric Heath of AncestryDNA emailed us with concerns about the post's content, considering the recent update to the site's terms of service. As Heath points out in a post at Ancestry's blog, the terms have been rewritten to make it explicit what Ancesty does and does not do with customers' submitted DNA:

First, we very clearly state that AncestryDNA does not “claim ownership rights in the DNA that is submitted for testing.” You own your DNA; this sentence helps make it clear that nothing we do takes, or has ever taken, that ownership from you.

Second, we’re clear that because you are owner of your DNA, we need you to grant us a license to your data so that we can provide our products and services to you and our other users, as well as develop new products and services. You can revoke this right at any time by requesting we delete your data or your account.

Third, we explicitly state that we will not share your genetic data with employers, insurance providers or third party marketers without first getting your consent. We already follow this procedure, but this language makes our commitment to you explicit.

The whole blog post and Ancestry's response to comments are worth reading. It appears the language restricting legal action to arbitration remains, but on the whole, it appears Ancestry is addressing the issues raised by Joel Winston's post.]

The first is the perpetual license users grant Ancestry.com for exploitation of their DNA data. Again, this sort of thing can be found at many services heavily-reliant on users' contributions. And many of those not only want your money, but the opportunity to sell off data as well.

Specifically, by submitting DNA to AncestryDNA, you agree to “grant AncestryDNA and the Ancestry Group Companies a perpetual, royalty-free, world-wide, transferable license to use your DNA, and any DNA you submit for any person from whom you obtained legal authorization as described in this Agreement, and to use, host, sublicense and distribute the resulting analysis to the extent and in the form or context we deem appropriate on or through any media or medium and with any technology or devices now known or hereafter developed or discovered.”

It's not particularly heinous. (Yes, I'm damning it with faint damnation.) But it's no better than countless other services, and this one deals with DNA, which is arguably more personal than, say, tweets... or coarse demographic info. It would be nice to know this up front. Ancestry.com can claim it does inform users of this, but it's part of a lengthy Terms and Conditions which contains enough dense language and boilerplate legalese to deter all but the most detail-oriented from reading it all the way through.

Opting out is, of course, much more difficult. As Winston notes, several hoops must be jumped through to pull your DNA out of this broad "agreement." It also takes the company 30 days to handle users' requests, and it doesn't affect any studies, etc. the company has already supplied with your DNA data. It also may involve phone calls, which is super fun in the age of digital communications that leave a better, more easily-verifiable paper trail.

On top of that, there's the arbitration clause, which will ensure users have as little leverage as possible should they be unhappy with Ancestry's services or handling of DNA data. This, too, is sadly a part of too many terms of service agreements. Arbitration forces users to play on the company's playground, rather than the more neutral field created by filing a civil complaint. This sucks, but once again, it's nothing that's unique to Ancestry.com.

What's most disturbing about Ancestry's growing DNA collection is something Glyn Moody highlighted here a couple of years ago.

According to an article on Fusion.net, Ancestry now has over 800,000 samples, while 23andMe has a million customers (Ancestry says that a more up-to-date figure is 1.2 million members in its database). Those are significant holdings, and it's only natural that the police would try to use them to solve crimes; both companies confirm that they will turn over information from their databases to law enforcement agencies if served with a suitable court order.

Customers' DNA info -- processed by Ancestry.com -- becomes nothing more than a third-party record. The company says it only complies with court orders, but there's a lack of specificity in that statement. A court order may be nothing more than a subpoena, rather than a search warrant. Third-party records have a lowered expectation of privacy, which means warrants aren't a necessity.

What makes this even more problematic is the company's willingness to hand over "familial" DNA -- in other words, DNA that isn't necessarily yours but comes from the same gene pool. Mixing this together raises the chance of false positives, which is never a good thing when someone's freedom is on the line.

And it's not just limited to police snooping. Ancestry is making this information available to private parties (see the perpetual license above), which could have adverse effects on people who've never used the service.

Buried in the “Informed Consent” section, which is incorporated into the Terms of Service, Ancestry.com warns customers, “it is possible that information about you or a genetic relative could be revealed, such as that you or a relative are carriers of a particular disease. That information could be used by insurers to deny you insurance coverage, by law enforcement agencies to identify you or your relatives, and in some places, the data could be used by employers to deny employment.”

This is a massive red flag. The data “you or a genetic relative” give to AncestryDNA could be used against “you or a genetic relative” by employers, insurers, and law enforcement.

The damage being done isn't theoretical. Glyn Moody's piece dealt with a man who became a suspect in a 20-year-old murder thanks to his father's DNA data (obtained by law enforcement from privately-held genetic databases). Winston's piece also covers the law enforcement aspects of Ancestry's license/sharing. But as the terms warn, insurers and employers could decide they want nothing to do with you, thanks to your familial DNA.

For example, a young woman named Theresa Morelli applied for individual disability insurance, consented to release of her medical records through the Medical Information Bureau (a credit reporting agency for medical history), and was approved for coverage. One month later, Ms. Morelli’s coverage was cancelled and premiums refunded when the insurer learned her father had Huntington’s disease, a genetic illness.

Startlingly, the Medical Information Bureau (MIB) used Morelli’s broad consent to query her father’s physician, a doctor with whom she had no prior patient relationship. More importantly, the applicant herself wasn’t diagnosed with Huntington’s carrier status, but she suffered exclusion on the basis of a genetic predisposition in her family.

Health care insurers are forbidden by federal law from using DNA data to deny coverage, but as Winston points out, nothing prohibits other insurers (life, long-term disability, etc.) from using this to decline coverage. And there's nothing at all in the law preventing employers from using DNA data to screen out potential employees who might be a net loss on company-provided insurance plans.

The upside is a $99 DNA test, something that used to be prohibitively expensive. The downside… well, it's pretty much everything else. In exchange for cheap testing, customers have to give up nearly everything. They can't easily stop the sharing of data, have limited ability to challenge information demands by law enforcement, and zero chance to fully control the use of data you've handed over to Ancestry.com. Information about how your DNA data is being used isn't easily obtained and anything insurers and employers are doing with this information is almost completely opaque. And, if you don't like it -- or feel Ancestry has managed to overstep the broad powers granted to it by its users -- you're stuck with arbitration as your only recourse.